NASA KSC Response to Employee Laptop Theft

We wanted to provide you a heads-up about an IT security incident here at NASA's Kennedy Space Center.

A civil servant with Kennedy's human resources office reported on March 5, 2012 that an agency laptop computer was stolen from the employee's personal vehicle outside the employee's private residence in Orange County, Fla. The laptop contained Personally Identifiable Information (PII). An email notification letter about the incident, which is pasted below, was sent from the center's human resources office to about 2,300 affected civil servant employees and student co-ops at Kennedy this afternoon.

While the probability is low that Kennedy employees' personally identifiable information will be exploited, NASA is responding to this from a "worst case scenario" perspective to help prevent any personal or financial harm from coming to the employees whose information was in the stolen laptop. NASA is providing each affected employee with one year's worth of free cyber, identity, and credit monitoring and recovery services.

Originally, a limited number of employees and less sensitive personal data were thought to be on the stolen computer. But as part of the investigation and response to the theft, NASA IT, security and human resource personnel confirmed (through backed-up records of the stolen computer stored on protected agency servers) more precisely what information was contained on that laptop, and it was learned on March 14 that many more employees and more sensitive data, including social security numbers, were involved. NASA is sending "letters of notification," first in the email below, to provide faster notification, and then by paper letter by March 19, to affected employees.

Additional steps are being taken to help protect sensitive data, such as a full review of current IT security policies and practices with the goal of making changes to prevent a similar incident. Besides the current password protection, all laptop computers at Kennedy, not just ones with PII or sensitive data, will have their hard drives encrypted by September 2012. This plan was in the works before the laptop was stolen. In addition to the letter of notification email today, a centerwide email was sent to all Kennedy Space Center civil servants reminding them of the importance of protecting mobile IT equipment and data. And more preventative actions and "lessons learned" are expected to follow in the coming days and weeks to help stop this from happening again.

Below is the notification email sent today:

You are receiving this communication to make you aware of a situation involving a potential compromise of Personally Identifiable Information (PII). All affected individuals will receive a subsequent communication through the U.S. mail at their home address.

On March 5, 2012, a NASA laptop computer containing sensitive Personally Identifiable Information (PII) was stolen from a NASA KSC employee. We have verified that personal information was contained in the files that were on this laptop at the time it was stolen. The files included information on NASA KSC employees such as name, social security number, race, national origin, gender, contact phone number, e-mail, date of birth, college affiliation, and grade point average.

Local and NASA law enforcement authorities are now conducting inquiries into the theft and the resulting potential for compromise of sensitive information.

NASA takes this loss very seriously and has convened a Breach Response Team to address this situation. The team also is reviewing current policies and practices to determine what steps must be taken and what changes must be made to preclude a similar occurrence in the future.

We do not believe that the PII contained in the files on the laptop computer was the motive for the theft. In addition, because the laptop computer was password protected, we also believe the probability is low that the information will be acquired and used for an unlawful purpose. At this time, there is no evidence to suggest that there has been any attempt to misuse any of your personal information. However, we cannot say with certainty that PII is safe, so KSC has arranged with a company called Idexperts to provide affected individuals with cyber, identity, and credit monitoring and recovery services to help protect their identity, without cost, for a period of one year from the time of registration.

Next week a letter including a unique fraud monitoring enrollment code assigned by Idexperts will be mailed to affected individuals at their home address. This unique code will allow those affected to enroll with Idexperts to begin monitoring services (Note: recovery services are retroactive to March 5). Employees who want to activate the monitoring service prior to letter receipt should send an email request to xxxxxxxxxxxxxxxxxxx from their government email address. We encourage those affected to take advantage of this free service.

Additional information on identity theft can be found on the Federal Trade Commission web site: http://www.ftc.gov/idtheft. The web site also provides other valuable information that can be used now or in the future if problems should develop.

We deeply regret and apologize for any inconvenience and concern this breach may cause you. Should you have any questions, a dedicated phone line is available for support at (321) XXX-XXXX between 7:30 am and 4:00 pm (Monday through Friday).